
Second Discussion of LuxTrust Root Inclusion Request


Kathleen Wilson

Dec 17, 2015, 8:35:19 PM
to mozilla-dev-s...@lists.mozilla.org
The first discussion of LuxTrust's root inclusion request was here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/47Jz7f8E4RI/sT1wTJ2RIEMJ

The discussion resulted in 3 action items, and LuxTrust has responded to
those action items here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/47Jz7f8E4RI/erw3ToheAQAJ

To summarize:

> 1) Resolve the concerns that were raised about CRL and OCSP.

LuxTrust plans the implementation of ... solutions by the end of January
2016.

We will need to check the new OCSP solution before closing this second
discussion. But, we can review the updated CP/CPS documents in the
meantime.

> 2) Stop issuing certs with SHA-1 based signatures, and certs with
> "Netscape Cert Type" extension (especially in this CA hierarchy)

LuxTrust confirms that no SSL or code-signing certificate issued under
the LTGRCA hierarchy uses the SHA-1 hash algorithm, as described in the
SSL and code signing profiles of the LTGRCA CP v1.22.
Netscape Cert Type: LuxTrust confirms that the certificates issued under
the LTGRCA hierarchy do not contain the “Netscape Cert Type” extension,
as described in the certificate profiles of the LTGRCA CP v1.22.

> 3) Update the CPS documents to respond to Ryan's comments in the
> discussion

To address these concerns, LuxTrust has updated their CP/CPS documents,
and provided them on their website:

Document Repository: https://repository.luxtrust.lu

LTGRCA CP v1.22:
https://www.luxtrust.lu/upload/data/repository/LuxTrust%20Global%20Root%20CA%20-%20Certificate%20Profiles%20v1%2022.pdf

LTGRCA CPS v1.09:
https://www.luxtrust.lu/upload/data/repository/LuxTrust_Global_Root%20CA_Certification_Practice_Statements_v1_09.pdf

LTSSLCA CPS v1.3:
https://www.luxtrust.lu/upload/data/repository/LuxTrust%20SSL%20CA%20CPS%20v1.3.pdf

The updated documents look good to me, and I believe the updates address
the concerns that were raised in the first discussion, here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/47Jz7f8E4RI/ACHCpG2KCpYJ

So, please review their updated CP/CPS documents, and respond in this
discussion if you have any further questions or concerns about this
request to include the "LuxTrust Global Root" root certificate, turn on
the Websites trust bit**, and enable EV treatment.

Thanks,
Kathleen

** The original request was to enable the Code Signing trust bit too,
but Mozilla is no longer enabling the Code Signing trust bit because we
plan to remove that trust bit in the next version of Mozilla's CA
Certificate Policy.
https://wiki.mozilla.org/CA:CertificatePolicyV2.3



Kathleen Wilson

Mar 23, 2016, 5:08:19 PM
to mozilla-dev-s...@lists.mozilla.org
On 12/17/15 5:34 PM, Kathleen Wilson wrote:
> The first discussion of LuxTrust's root inclusion request was here:
> https://groups.google.com/d/msg/mozilla.dev.security.policy/47Jz7f8E4RI/sT1wTJ2RIEMJ
>
>

This discussion is currently on hold, because the CA would like to
request inclusion of the new 'LuxTrust Global Root 2' root certificate
instead of the previous 'LuxTrust Global Root CA' root cert. So, we are
awaiting their updated information.

Kathleen

Kathleen Wilson

Aug 4, 2016, 1:51:58 PM
to mozilla-dev-s...@lists.mozilla.org
The CA has resolved the questions and concerns raised during the first discussion, and has provided an updated root certificate with corresponding updated documentation and audit statement.

Please review this request from LuxTrust to include the "LuxTrust Global Root 2" certificate, turn on the Websites trust bit, and enable EV treatment.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=944783

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8777892

This root signs internally-operated subordinate CAs that issue SSL and code signing certificates.

Documents are in French and English.
CA Document Repository: https://repository.luxtrust.lu
CP: https://www.luxtrust.lu/upload/data/repository/LuxTrust%20Global%20Root%20CA%20-%20Certificate%20Profiles%20v1%2022.pdf
CPS: https://www.luxtrust.lu/upload/data/repository/LuxTrust_Global_Root%20CA_Certification_Practice_Statements_v1_09.pdf
SSL CPS: https://www.luxtrust.lu/upload/data/repository/LuxTrust%20SSL%20CA%20CPS%20v1.3.pdf

SSL CPS section 3.2.2: In the particular case of SSL, RAs operating under the LuxTrust SSL CA shall determine whether the domain referenced in the SSL Certificate application is owned and controlled by the subscriber.
LuxTrust validates that the Subscriber has the right to control the domain names using the following verification procedures:
[1] Communicating with the technical contact information provided by the Subscriber in the order form.
[2] Communicating directly with the Domain Name Registrant using the contact information listed in the WHOIS record’s “registrant”, “technical”, or “administrative” field;
[3] Relying upon a Domain Authorization Document which contains the signature of an authorized representative of the domain holder, a date that is on or after the certificate request and a statement confirming the Subscriber’s control over the domain names in the certificate. LuxTrust also relies on a reliable third-party, the Chamber of Commerce of Luxembourg, to confirm the authenticity of the Domain Authorization Document.

Root Certificate Download URL:
https://ca.luxtrust.lu/LTGRCA2.crt

Test Website: https://ltsslca5.trustme.lu/

EV Policy OID: 1.3.171.1.1.10.5.2

CRL:
http://crl.luxtrust.lu/LTGRCA2.crl
http://crl.luxtrust.lu/LTSSLCA5.crl
SSL CPS section 4.9.7: A CRL is issued each 4 hours, at an agreed time.

OCSP:
http://ssl.ocsp.luxtrust.lu
http://ltgroot.ocsp.luxtrust.lu

Annual audits are performed by LSTI, according to the ETSI TS 102 042 criteria.
Audit Statement: https://bugzilla.mozilla.org/attachment.cgi?id=8777887
http://www.lsti-certification.fr/images/liste_entreprise/Liste%20PSCe.pdf

This continues the discussion of the request from LuxTrust to include the "LuxTrust Global Root 2" certificate, turn on the Websites trust bit, and enable EV treatment. At the conclusion of this discussion I will provide a summary of issues noted and action items. If there are outstanding issues, then additional discussion may be needed as follow-up. If there are no outstanding issues, then I will recommend approval of this request in the bug.

Kathleen
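The two technical items a reviewer actually checks on a leaf from this hierarchy are the profile points from the first discussion (no SHA-1 based signature, no "Netscape Cert Type" extension) and the EV policy OID 1.3.171.1.1.10.5.2 listed above. The script below is an added example, not LuxTrust's or Mozilla's code, and it uses nothing but openssl. It assumes `openssl` is on PATH; the hostname `ev-test.example` and the throwaway self-signed certificates that `make_test_cert` builds are constructed here so the checks can be exercised offline, including the failing cases.

```shell
#!/bin/sh
# Added example (not LuxTrust's or Mozilla's code): the certificate-profile
# checks from the thread, run against a PEM file with nothing but openssl.
#   1. the signature algorithm is not SHA-1 based
#   2. the "Netscape Cert Type" extension is absent
#   3. certificatePolicies carries the expected EV policy OID
# The EV OID is the one given in the post; the hostname and the throwaway
# self-signed certificates built by make_test_cert are constructed here.
set -eu

EV_OID="1.3.171.1.1.10.5.2"

# make_test_cert DIR OID HASH [nscerttype]
# Writes a self-signed RSA cert carrying policy OID into DIR and prints
# its path. A non-empty 4th argument adds a Netscape Cert Type extension
# so the negative case can be exercised.
make_test_cert() {
  dir=$1; oid=$2; hash=$3; nsct=${4:-}
  mkdir -p "$dir"
  extra=""
  if [ -n "$nsct" ]; then
    extra="nsCertType = server"
  fi
  cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = ev-test.example
[v3]
basicConstraints = CA:FALSE
certificatePolicies = $oid
$extra
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -"$hash" -days 1 \
    -config "$dir/req.cnf" -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# check_cert PEM OID
# Prints one line per finding; returns 0 only if all three checks pass.
check_cert() {
  pem=$1; want=$2; rc=0
  text=$(openssl x509 -in "$pem" -noout -text)

  # the first "Signature Algorithm:" line is the one in the TBSCertificate
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case "$sigalg" in
    sha1*|*SHA1*) echo "FAIL SHA-1 based signature: $sigalg"; rc=1 ;;
    *)            echo "ok   signature algorithm: $sigalg" ;;
  esac

  if printf '%s\n' "$text" | grep -q 'Netscape Cert Type'; then
    echo "FAIL Netscape Cert Type extension present"; rc=1
  else
    echo "ok   no Netscape Cert Type extension"
  fi

  # policies print as "Policy: <oid>" under "X509v3 Certificate Policies";
  # escape the dots so 1.3.171.1.1.10.5.2 cannot match a longer OID
  pat=$(printf '%s' "$want" | sed 's/\./\\./g')
  if printf '%s\n' "$text" | grep -q "^ *Policy: $pat\$"; then
    echo "ok   certificatePolicies contains $want"
  else
    echo "FAIL certificatePolicies lacks $want"; rc=1
  fi
  return $rc
}

# With a PEM path: check that certificate. With no arguments: self-demo on
# a throwaway certificate that carries the EV OID.
if [ $# -gt 0 ]; then
  check_cert "$1" "$EV_OID"
else
  demo_dir=$(mktemp -d)
  demo_cert=$(make_test_cert "$demo_dir" "$EV_OID" sha256)
  check_cert "$demo_cert" "$EV_OID"
  rm -rf "$demo_dir"
fi
```

To run it against the test site named in the post, save the served leaf with `openssl s_client -connect ltsslca5.trustme.lu:443 -servername ltsslca5.trustme.lu </dev/null | openssl x509 > leaf.pem` and pass `leaf.pem` as the argument. The revocation side of the first action item needs the live endpoints and is not exercised here: `openssl crl -inform DER -in LTGRCA2.crl -noout -lastupdate -nextupdate` on the CRL files shows whether the 4-hour issuance window from SSL CPS 4.9.7 is being kept, and `openssl ocsp -issuer issuer.pem -cert leaf.pem -url http://ssl.ocsp.luxtrust.lu` queries the responder.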




Kathleen Wilson

Sep 8, 2016, 12:07:33 PM
to mozilla-dev-s...@lists.mozilla.org
Does anyone have comments, questions, or concerns about this request from LuxTrust to include the "LuxTrust Global Root 2" certificate, turn on the Websites trust bit, and enable EV treatment?

If not, I will close this discussion and recommend approval in the bug.

Thanks,
Kathleen



Kathleen Wilson

Sep 16, 2016, 4:13:38 PM
to mozilla-dev-s...@lists.mozilla.org
On Thursday, September 8, 2016 at 9:07:33 AM UTC-7, Kathleen Wilson wrote:
> Does anyone have comments, questions, or concerns about this request from LuxTrust to include the "LuxTrust Global Root 2" certificate, turn on the Websites trust bit, and enable EV treatment?
>
> If not, I will close this discussion and recommend approval in the bug.


I am leaving this discussion open, due to a request for more time to review and comment on this CA's updated CP/CPS.

Thanks,
Kathleen

Ryan Sleevi

Sep 22, 2016, 12:04:53 AM
to mozilla-dev-s...@lists.mozilla.org
Hi Kathleen,

I've reviewed this CP/CPS set again, keeping in mind the previous comments on the first round of discussion, and I don't believe there's anything noted that should prevent this inclusion from continuing.

Kathleen Wilson

Sep 27, 2016, 7:43:30 PM
to mozilla-dev-s...@lists.mozilla.org
On Wednesday, September 21, 2016 at 9:04:53 PM UTC-7, Ryan Sleevi wrote:
> I've reviewed this CP/CPS set again, keeping in mind the previous comments on the first round of discussion, and I don't believe there's anything noted that should prevent this inclusion from continuing.

Thanks, Ryan!

I plan to close this discussion and recommend approval in the bug.

Thanks,
Kathleen

Kathleen Wilson

Sep 28, 2016, 7:53:24 PM
to mozilla-dev-s...@lists.mozilla.org
On Thursday, August 4, 2016 at 10:51:58 AM UTC-7, Kathleen Wilson wrote:
> On Wednesday, March 23, 2016 at 2:08:19 PM UTC-7, Kathleen Wilson wrote:
> > On 12/17/15 5:34 PM, Kathleen Wilson wrote:
> > > The first discussion of LuxTrust's root inclusion request was here:
> > > https://groups.google.com/d/msg/mozilla.dev.security.policy/47Jz7f8E4RI/sT1wTJ2RIEMJ
> > >
>
> The CA has resolved the questions and concerns raised during the first discussion, and has provided an updated root certificate with corresponding updated documentation and audit statement.
>
> Please review this request from LuxTrust to include the "LuxTrust Global Root 2" certificate, turn on the Websites trust bit, and enable EV treatment.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=944783
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=8777892
>
> This root signs internally-operated subordinate CAs that issue SSL and code signing certificates.
>
> Documents are in French and English.
> CA Document Repository: https://repository.luxtrust.lu
> CP: https://www.luxtrust.lu/upload/data/repository/LuxTrust%20Global%20Root%20CA%20-%20Certificate%20Profiles%20v1%2022.pdf
> CPS: https://www.luxtrust.lu/upload/data/repository/LuxTrust_Global_Root%20CA_Certification_Practice_Statements_v1_09.pdf
> SSL CPS: https://www.luxtrust.lu/upload/data/repository/LuxTrust%20SSL%20CA%20CPS%20v1.3.pdf
>


Thanks again to those of you who participated in the discussions about LuxTrust's root inclusion request. The updated request is to include the "LuxTrust Global Root 2" certificate, turn on the Websites trust bit, and enable EV treatment.

I am now closing this discussion and will recommend approval in the bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=944783

Any further follow-up on this request should be added directly to the bug.

Thanks,
Kathleen